Problem

How to troubleshoot insufficient DCOM security privileges.

Solution

Under certain circumstances troubleshooting DCOM security privileges may be necessary. For Example a Backup Exec service may not start due to insufficient DCOM privileges.*Note: DCOM permissions should only be configured by a Microsoft Support Professional or by an individual that thoroughly understands the effects of such changes.

1. Check the Windows System Event log for source DCOM errors. Below is an example of a source DCOM event.

Fig 1

The DCOM event indicates a COM Server application does not have ‘Local Activation Permission’ for a particular CLSID.

Resolution:

0. Enable verbose DCOM logging (OLE):

Open the registry with regedit, go to HKLM\Software\Microsoft\Ole

and create two values:

CallFailureLoggingLevel  REG_DWORD 1

ActivationFailureLoggingLevel REG_DWORD 1

reference: http://msdn.microsoft.com/en-us/library/windows/desktop/ms687309%28v=vs.85%29.aspx

1. Take note of the exact ‘CLSID’ and ‘user’ noted within the description of the Windows DCOM System Event. (See Figure 2)

Fig 2

In this example, we see the CLSID to be {555F3418-D99E-4E51-800A-6E89CFD8B1D7}

2. Click Start | Run | Regedit

Warning: Incorrect use of the Windows registry editor may prevent the operating system from
functioning properly. Great care should be taken when making changes to a Windows registry. Registry
modifications should only be carried-out by persons experienced in the use of the registry editor
application. It is recommended that a complete backup of the registry and workstation be made prior to
making any registry changes.

Goto the following registry key:
HKEY_CLASSES_ROOT\CLSID\

Locate the ‘AppID’ String Value key and note the Data Value. (See Figure 3)

Fig 3

The AppID string indicates a value of {B1B9CBB2-B198-47E2-8260-9FD629A2B2EC} and matches what is shown in the Event Properties window.

3. Click Start | Run | dcomcnfg

4. A Windows Security Alert pop-up will appear, click Unblock.

5. From the dcomcnfg Console Root select Component Services | Computers | My Computer | DCOM Config

Locate the DCOM Object that matches the Value Data from the ‘AppID’ Registry Value Data noted in step 2. (See Figure 4)

Fig 4

6. Right Click on the DCOM Object that matches and select ‘Properties’ and select the ‘Security’ tab

Fig 5

7. Under ‘Launch and Activation Permissions’ select the ‘Customize’ radio button and click Edit

Fig 6

8. Make sure the user referenced in the above Windows System event source is apart of the problem CLSID.

Click ‘Apply’ and ‘OK’

The ‘LOCAL SERVICE’ user is added in this example because the ‘Local System’ was selected to be used for the ‘DCOM Server Process Launcher’ service as shown in the Windows Services Applet. (See Figure 8)

9. Reboot the Workstation or Server where this DCOM change occurred.